WordPress Hacked-post-new.php infected (13 posts)

  1. zakiwarfel
    Posted 6 years ago #

    I've recently had my WordPress install hacked. I'm running the latest version (2.9.1). The page that seems to be infected is the post-new.php page. All of the links from that page redirect to http://1dns.org.in/s/111.php, which is considered a phishing site by Google. This is the only page in my WP install that appears to be infected.

    I've replaced that file, but it didn't work. I've done a fresh upgrade, but that didn't seem to work. Any suggestions for how to start over? I'd export my DB, but if the injection is in there, then I don't suppose it will help.

    FYI, I've also run WP exploit scanner, which resulted in the following:

    iframes can sometimes be used by hackers to load their own adverts and code on your site.

    r side of I-35 from the convention center.</p>
    <p><iframe width="300" height="300" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/maps/m

    I did a search on the site for "I-35 from the convention center" but received no results.

    I'm really at a loss.

  2. Shane G.
    Posted 6 years ago #


    Refer to this article:



    Shane G.

  3. lisa3711
    Posted 6 years ago #

    I have the EXACT same thing happening. Same results on scan, and the same result from the scanner. Still working on trying to locate it. As far as I know, there are no iframes on the site.

    I don't think my post-new.php file was hacked. How did you find yours was hacked, and what was in it?

    PS: "I-35 from the convention center" for me resulted in references to this:

    "Location: Conjunctured coworking space, 1309 East 7th St., Austin, TX 78702. From the convention center, walk up to 7th Street, hang a right, and walk until you get to #1309. If you’re tired of walking, taking a cab is a decent option. Note that this is on the other side of I-35 from the convention center."

    I was wondering if there is an iframe on the dashboard page, including WP news....?

  4. dugbug
    Posted 6 years ago #


    Search your SQL database for the string 1dns. Who knows, maybe that will lead you somewhere.

    Also, a lot of info in that article Shane G pointed you to includes some hardening. Reinstalling without .htaccess tweaks and password changes, etc. won't do.

    I'm a victim too, but a different attack.

  5. LisaH371
    Posted 6 years ago #

    Still battling this. Note, using Google's Anywhereindb search tool, I looked for 1dns. As above, looked for "<iframe width="300" " etc... no luck. It seems to affect just the front page: feeds, etc. are all fine.
    Anyone have ideas?

  6. esmi
    Forum Moderator
    Posted 6 years ago #

  7. kikolani
    Posted 6 years ago #

    I used the Exploit Scanner plugin for WordPress and came up with the exact same warning about the transient feed. My site has been hacked twice in the last month (most recently this morning).

    I searched my database simply for I-35 and the specific information is in the WordPress wp_options table, Field: option_name, Type: varchar(64), Value: _transient_feed_0ff4b43bd116a9d8720d689c80e7dfd4

    It looks like an announcement for the 2010 WordPress Wordcamps with directions to one of several locations, one of which includes the text lisa3711 wrote earlier.

    Is this a hack or part of the news? I don't want to mess with this in the database, and at the same time, I want to know how to get rid of the iframe vulnerability.
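Added example, not part of the thread or of any poster's code: a triage pass over rows exported from wp_options that reports where each iframe is stored and which host it points at, so a scanner hit inside a feed cache can be told apart from a frame stored somewhere it has no reason to be. The feed URL, the trusted-host list, the sample rows and the rule that a feed cache row is named `_transient_feed_` plus the MD5 of the feed URL are assumptions of this sketch.

```python
import hashlib
import re
from urllib.parse import urlparse

# Rows as (option_name, option_value), e.g. exported with:
#   SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<iframe%';
# Everything below is constructed sample data, not values from the thread.
KNOWN_FEEDS = ["http://news.example.org/feed/"]   # feeds the dashboard is known to pull
TRUSTED_HOSTS = {"google.com"}                    # embed hosts you accept inside feed items

IFRAME_SRC = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def feed_transient_name(feed_url):
    # Assumption: feed cache rows are named "_transient_feed_" + md5(feed URL).
    return "_transient_feed_" + hashlib.md5(feed_url.encode()).hexdigest()

SAMPLE_ROWS = [
    (feed_transient_name(KNOWN_FEEDS[0]),
     '<p>Directions.</p><iframe width="300" height="300" frameborder="0" '
     'src="http://maps.google.com/maps?output=embed"></iframe>'),
    ("widget_text", '<iframe src="http://bad.example/x" width="1" height="1"></iframe>'),
    ("_transient_timeout_feed_constructed", "1265000000"),
]

def triage(rows, known_feeds, trusted_hosts):
    """Return one finding per iframe, saying where it is stored and where it points."""
    feed_by_name = {feed_transient_name(u): u for u in known_feeds}
    findings = []
    for name, value in rows:
        for src in IFRAME_SRC.findall(value):
            host = (urlparse(src).hostname or "").lower()
            trusted = any(host == h or host.endswith("." + h) for h in trusted_hosts)
            cached_feed = feed_by_name.get(name)
            findings.append({
                "option_name": name,
                "feed_url": cached_feed,
                "iframe_host": host,
                # Benign only if the row is a cache of a feed you recognise AND
                # the frame points at a host you accept; anything else needs a look.
                "verdict": "cached feed content" if cached_feed and trusted else "review",
            })
    return findings

def run_sample():
    return triage(SAMPLE_ROWS, KNOWN_FEEDS, TRUSTED_HOSTS)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A "review" verdict is a prompt to inspect the row by hand, not proof of compromise; a transient whose hash matches none of your known feed URLs lands there by design.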

  8. kikolani
    Posted 6 years ago #

    Just to add, this transient_feed is in all of my WordPress sites, including ones that were NOT hacked and are not all running the same version of WordPress - my hacked sites (ironically) are updated to 2.9.2, whereas the ones that were not hacked were not updated.

  9. Steve D
    Posted 6 years ago #

    I have the I-35 transient also.

    I never authorized this to be in my blog and would like to know how to find it and REMOVE IT.

    I also have an unauthorized transient directing to cssjockey, which I never authorized also.

    Where do I locate these transients? I operate 2.9.2

  10. michaellinder
    Posted 6 years ago #

    Same here! Just had a pro clean my site, too. Grrrrr.

    I'd be most grateful if someone could ferret out this perp (if it's an attack!)

  11. Steve D
    Posted 6 years ago #

    I'm beginning to wonder why I am getting into blogging when I should be getting into security at this point. Cyber security Utopia.

  12. Inv_Trdr
    Posted 6 years ago #

    I am on 2.9.2 which I believe is the latest version. I am at GoDaddy so just went ahead and restored the site back to a few days ago. Try that. It might help.
    Thank you.

  13. Steve D
    Posted 6 years ago #

    Restores are easy. The real problem is did the criminals leave any back doors in our restored site.

    If only we had a scanner that will automatically remove and quarantine hacker code. Man that would be nice. I'd pay handsomely for something like that.

Topic Closed

This topic has been closed to new replies.
